- Hiding the low-level components behind a single facade
  - The distinction between repository and provisioning is partially hidden from clients, so the model provides a kind of location transparency.
  - Provisioning functionality is not exposed directly. Provisioning actions are carried out by modifying a user or account object, so the model provides (partial) uniformity of access to all objects.
- Enforce access control policies (with respect to target resources)
  - RBAC-based models will maintain roles, their definitions, etc.
  - RBAC-based models will enforce creation/deletion of accounts based on role membership
  - RBAC-based models may enforce account attributes based on role membership
  - The model may implement any mechanism to enforce policies (RuBAC, ABAC, ...) as long as it is usable and consistent.
- Only one model can be active in a specific deployment (models cannot be mixed in the same system)
- Maintain values of virtual attributes
  - e.g. attributes implied by role membership, organization, policy, ...
- Handle synchronization changes
- Manage reconciliation